McAfee Employee BEllis
Message 11 of 19

Re: Signed installer gets binaries auto white-listed

In order for the binary to work properly with pkg-ctrl, the binary must meet the following criteria:

 

1. File must be allowed to execute (solidification or Signed) 

2. File must be UPDATER. 

See pg. 30 and pg. 69

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26172/en_US/...

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: Signed installer gets binaries auto white-listed

Your answer means that uninstallation is not allowed despite the uninstall feature being enabled.

I already know that updaters can do that.

What I am saying is that the updater-auto-promote of installers introduces a problem. Solidcore seems to be incapable of detecting uninstallers, and because of that end users will experience weird problems if the updater-auto-promote feature is being utilized. End users can install allowed software but are incapable of uninstalling the same software they installed, despite the uninstall permission setting.

The workaround/solution is to always sign installers and uninstallers with special updater signatures.
"sadmin cert add -t AuthorizedUpdater -u Authorized_Updater.crt". With this solution it is not possible to disallow uninstalls. Obviously this renders the updater-auto-promote feature useless.

I have a hard time judging whether the described problematic behaviour or my solution introduces security problems. I don't see any at the moment.

McAfee Employee BEllis
Message 13 of 19

Re: Signed installer gets binaries auto white-listed

If you don't want installers to uninstall, then just run "sadmin features disable pkg-ctrl-allow-uninstall"

This will block all uninstallers.

McAfee Support

Benjamin Ellis

Re: Signed installer gets binaries auto white-listed

No, that is not what I want.

And no, it does not block all uninstallers. Those with updater permission (via certificate) are not blocked by this setting (as expected).

Re: Signed installer gets binaries auto white-listed

What I want is to allow the user to install and remove special authorized (and therefore trusted) software.

McAfee Employee BEllis
Message 16 of 19

Re: Signed installer gets binaries auto white-listed

You could scrap the idea of an updater cert and use a trusted directory with updater permissions, where only you control what goes in there and what is run from there.

McAfee Support

Benjamin Ellis

Re: Signed installer gets binaries auto white-listed

I don't think that will work.

... kind of a chicken and egg problem.

We sell these machines; we do not have a way of directly accessing the machines. I won't be able to distribute the software into such a protected folder unless I write an updater tool that does it. Then how do I update the updater? Now we are back to updater certs, right? How else can I allow something to run from a distance? I think certificates (whether updater or not) are the best solution to embed trust / pre-authorize our (future) software in the OS images that I create.

McAfee Employee BEllis
Message 18 of 19

Re: Signed installer gets binaries auto white-listed

Well, could you ban the hash of your uninstall.exe... then it would never run, because even with an authorized cert, the block would take precedence.

Check out "sadmin help auth"

McAfee Support

Benjamin Ellis

McAfee Employee BEllis
Message 19 of 19

Re: Signed installer gets binaries auto white-listed

Or even ban by name.

McAfee Support

Benjamin Ellis
